ISO/TS 22317 Security and resilience – Business continuity management systems – Guidelines for business impact analysis

This project will revise ISO/TS 22317, a technical specification which was first published in September 2015. The document provides detailed guidelines for implementing and maintaining a business impact analysis (BIA) process consistent with the requirements in ISO 22301 Business continuity management systems. It includes examples and various methods to perform the BIA process and introduces justification for their use.

In May 2019, to the committee agreed to review the standard, the main objective of which is to guide practitioners wishing to analyze the impact of a disruption on their organization.

Uxía Fernández, project leader responsible for the revision of ISO/TS 22317, explains:

“ISO 22301 defines business continuity as the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.”

Taking this definition as a starting point, it becomes clear why the BIA is such an important element of business continuity management systems (BCMS) since it allows an organization to:

prioritize its products and services for recovery.
define acceptable time frames for the recovery of those products and services.
learn what predefined capacity means for its activities, providing information regarding the levels of operation that are to be achieved.
understand how impacts change over time, allowing the organization to react appropriately during the different phases of a potential disruption.

Thus, as the ultimate objective of BIA is to provide an input for the definition of business continuity strategies and solutions, the organization’s business continuity capabilities will depend substantially on the quality of its BIA process.

For this reason, we recommend dedicating sufficient time to conducting a BIA and updating it on a regular basis. Only in this way can an organization be sure that its continuity strategies and, ultimately, its plans are applicable to its current situation and will prove useful in case of a disruption, regardless of its causes.

This revision of the technical specification simplifies the BIA process, aligning it with the requirements of ISO 22301:2019 and introducing new annexes with examples.

Uxía Fernández, states:

"This review is proving to be a great challenge, especially during the pandemic, since the project team is made up of experts from 9 countries working in very different time zones without the possibility of face-to-face meetings.

I would like to take this opportunity to thank all the members of the project team for their involvement and effort throughout these months, sometimes attending meetings in very challenging time frames. I hope the final document meets the expectations of the practitioners who use it.”

The revised version of ISO/TS 22317 is due to be published in September 2021

Upcoming events

[TBD] October, Zoom
Communication Group meeting

2022 June, Berlin
9th ISO/TC 292 plenary meeting

Topics

Authenticity, integrity and trust for products and documents
Business continuity management
Community resilience
Crisis management
Emergency management
Event management
Organizational resilience
Protective security
Supply chain security
Terminology

This website has been developed by Swedish Civil Contingencies Agency in collaboration with ISO and Swedish Institute for Standards responsible for the ISO/TC 292 secretariat

An overview of ISO/TC 292 can also be found at the ISO webpage.

ISO

SIS